New phishing scam gets personal

The targeted campaign that includes valid credit or debit card numbers may put another nail in the e-commerce coffin.

A new, personalized phishing scam targeting customers of a number of leading banks is likely to be quite successful -- and may impact the bottom line of organizations that allow online transactions -- experts fear.

"A major impact of this scam could be loss of potential sales online," said Amir Orad, Cyota's executive vice president of marketing. "It will have an impact on the bottom line of every business that uses this channel of revenue."

Cyota Inc., which aids financial institutions with antifraud and online security measures, today announced it has detected a dangerous new phishing attack in which fraudsters are using stolen information to target account holders by name to lure them into divulging additional sensitive information.

According to the New York-based company, a merchant was the victim of a theft that gave the attackers names, e-mail addresses and credit card numbers. Using this information, they sent out thousands of e-mails to individual customers, which appear to come from the actual bank that issued the credit card. Each e-mail lists the card number and asks only for other information, such as a PIN, which the fraudsters use to create duplicate ATM cards. The victim's account is then cleaned out.

"While many phishing attacks have a 3% or 4% success rate on average, this one will be much higher," Orad said. "Once you get customer information, phishing becomes much easier. As more sensitive information becomes available through hacking, lost information and semi-legal transactions, it becomes harder to distinguish fraudulent communications from legitimate business ones."

Cyota said the motive behind this complex phishing scam is likely to "enhance existing lists of stolen credentials with even more sensitive information not yet possessed by the fraudsters, such as ATM PIN numbers or credit card CVD codes." In a statement, the company said, "These complete sets of credentials have a much higher resale value among the online fraud communities than just the names and account numbers."

A security manager at one financial firm declined to be named, but said that someone quite knowledgeable about banking must be involved in the scam. He believes that someone at a bank, credit card company or collections agency may be involved.

He added that though the group appears well organized, they aren't likely part of organized crime. "They know what to do, but don't have the resources of organized crime -- yet. If you had that kind of infiltration, why would you need to phish?"

Such phishing scams are difficult to defend against. Cyota recommends that consumers who get an e-mail from a bank or online merchant requesting personal or account information not click on any link within the e-mail, but instead go directly to the site to verify the request or complete the transaction. Enterprises need to focus on user awareness and education to mitigate these scams.
